Restricting access by device category
An administrator can restrict access to devices that do not support device security using HCL Traveler or devices by their device type or user agent values.
Device Security
The setting Prohibit devices incapable of security enablement can be enacted by device category to prevent devices that do not support security enablement from syncing with HCL Traveler. Security enablement includes the ability of HCL Traveler to remotely wipe a device, as well as the ability to enforce usage of a device password. This setting is defined in both the Default device preference and security setting values and the Domino® HCL Traveler policy settings document (described in Creating an HCL Traveler policy settings document).
- Apple Mail Whether an Apple device is secured or unsecured is determined by the level of
the Exchange ActiveSync protocol it uses and whether any of the enabled security settings are not
supported by that protocol level.
Protocol level 2.5 does not support "Prohibit unencrypted devices", "Prohibit ascending, descending and repeating sequences", "Password expiration period", "Password history", "Prohibit camera", or "Minimum number of complex characters".
Protocol 12.0 level does not support "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters".
For example, if you enable Require device password and Prohibit unencrypted devices then only an Apple device using Exchange ActiveSync 12.1 or later would be able to sync with the HCL Traveler server.
- Android: Enabling Prohibit devices incapable of security enablement prevents
Android devices meeting the following criteria from syncing with the HCL Traveler server:
- Devices with Android OS level less than 2.2
- Devices where the user has not enabled the Device Administrator when prompted
When a device is unable to sync with the server due to Prohibit device incapable of security enablement, a status of "403 (Forbidden)" is returned to the device. Also, the value "Prohibit" appears in the administration application device security view and device document Access field.
HTTP User-Agent
The simplest way to restrict device access is using the NTS_USER_AGENT_ALLOWED notes.ini settings for each device type. There is a notes.ini for each known device type, NTS_USER_AGENT_ALLOWED_OTHER for all devices that don't fall into one of the known device types, and NTS_USER_AGENT_ALLOWED_REGEX as an additional check for additional granularity if needed (default is check that allows everything).
- NTS_USER_AGENT_ALLOWED_ANDROID=true, NTS_USER_AGENT_ALLOWED_IBM_APPLE=true, NTS_USER_AGENT_ALLOWED_REGEX=.* (all the default values) and all other NTS_USER_AGENT_ALLOWED_ notes.ini's changed to false, allows only the HCL Verse clients.
- NTS_USER_AGENT_ALLOWED_APPLE=true, NTS_USER_AGENT_ALLOWED_REGEX=.* (all the default values) and all other NTS_USER_AGENT_ALLOWED_ notes.ini's changed to false, allows only the built-in Apple clients.
- NTS_USER_AGENT_ALLOWED_ANDROID=true, NTS_USER_AGENT_ALLOWED_IBM_APPLE=true, NTS_USER_AGENT_ALLOWED_APPLE=true, NTS_USER_AGENT_ALLOWED_REGEX=.* (all the default values) and all other NTS_USER_AGENT_ALLOWED_ notes.ini's changed to false, allows only the HCL Verse and built-in Apple clients.
- NTS_USER_AGENT_ALLOWED_OTHER=false and all other NTS_USER_AGENT_ALLOWED_ notes.ini's left as their default values, allows only known client types.
-
The following tables list user agents for supported clients.
The HCL Verse for Apple user agent changes based on the client build. The Apple
Mail client user agent is based on the hardware plus the OS level. Note: Some examples of known Apple user agents are presented in these tables, but this is not a comprehensive list. One method to determine the exact user agent that a device is using for synchronization is to review the HCL Traveler usage log file after a new device synchronizes with the server. The file can be found here: <Domino Data Directory>\IBM_TECHNICAL_SUPPORT\traveler\logs\NTSUsage_DATE_TIME.logNote: Some of the build numbers in the following tables are examples and may change over time as software versions on the device are updated.
| Release | User agent |
|---|---|
| HCL Verse for Android | Lotus Traveler Android 12.0.9Note: Starting with HCL Verse for Android
12.0.0, the user agent string includes the matching client
software level. Earlier versions supplied the same user agent
string of "Lotus Traveler Android 9.0", regardless of the actual
client software level. |
| Device | User agent |
|---|---|
| HCL Verse for iPhone | Traveler-iOS-iPhone/9.5.1.2018081415 |
| HCL Verse for iPad | Traveler-iOS-iPad/9.5.0.2018070911 |
| Apple iPhone (OS 9) | Apple-iPhone7C2/1301.344 |
| Apple iPhone (OS 8) | Apple-iPhone7C2/1202.466 |
| HCL Traveler Companion | TravelerCompanion/9.1.3.2017111715
CFNetwork/902.2 Darwin/17.7.0 |
| HCL Traveler To Do for iPad | TravelerToDo-iPad/9.1.2.20180813150 |
| HCL Traveler To Do for iPhone | TravelerToDo-iPhone/9.1.2.2018081315 |
| Device | User agent |
|---|---|
| Windows™ 10 Mobile | MSFT-WIN-4/10.0.10581 |
| Windows™ Phone 8.0 | MSFT-WP/8.0 |
| Windows™ Phone 7.8 | MSFT-WP/7.10.8853
|
| Windows™ Phone 7.5 | MSFT-WP/7.10.8773
|
| HCL Traveler Companion 1.1.0 | TravelerCompanion
WP/1.1.0 |
| Device | User agent |
|---|---|
| Windows™ RT | WindowsMail/16.4.4406.1205 |
| Device | User agent |
|---|---|
| Z10 | RIM-Z10-STL100-1/10.0.10.261 |
| Blackberry 10.x | BLACKBERRY-Z10-STL100-1/10.0.10.261 |
| Device | User agent |
|---|---|
| MS Outlook | IMSMO1.0.0 |
HCL Traveler does not explicitly support the IBM Maas360 clients. The following user agents are provided as a reference only.
| Device | User agent |
|---|---|
| Android/4.1-EAS-1.3 | MaaS360 on
Android |
| Apple-iPhone | MaaS360 on Apple
Note: This agent is very generic. As a result,
if you choose to block this, you may also block other
aspects of your system. |
| Device | User agent |
|---|---|
| Apple-iPhone | Apple-iPhone/1701.878/AirWatch BoxerManaged; (iOS
13.1.3) Version 5.12.0/4747 |
| Android | AirWatch Boxer (HTC Desire 10 lifestyle; Android
6.0.1) Version 5.10.0.1/1112 |
| Device | User agent |
|---|---|
| Lenovo Laptop | Apple-iPhone WorxMail/19.5.5-29 (LENOVOLENOVOTBX704L;
7.1.1) |
| Device | User agent |
|---|---|
| Touchdown application |
Apple-TouchDown(MSRPC)/8.4.00086/ENCRYPTDEVICE,ENCRYPTSD |
| Blackberry Work Connect | BLACKBERRY-WorkConnect:BLACKBERRY-WorkConnect/3.0 |
| Blackberry Work Connect | Android:Android/4.4.3
BLACKBERRY-WorkConnect/3.0 |
| Blackberry Work Connect | Android/4.4.4
BLACKBERRY-WorkConnect/3.0 |
| OpenPeak | OP/4.2 |
| AT&T Toggle | Toggle/3.0 |
| Microsoft Outlook Mobile (iOS and Android) | Outlook-iOS-Android/1.0 |
-
Apple- all Apple devices are allowed to sync, but no other devices. Apple-iPhone/7- only Apple iPhones (not iPods or iPads) using OS 3 are allowed to sync (Windows Mobile® and Nokia devices are not allowed either).Lotus Traveler Android- Only Android devices are allowed to sync.NTS_USER_AGENT_ALLOWED_REGEX=^((?!((Toggle)|(Outlook-iOS-Android))).)*$- This blocks Toggle and Outlook Mobile, all others allowed. Note that this only blocks certain devices. A more secure setup would be to only allow the explicit devices you want to be allowed. This way, it is not necessary to update this portion each time you find a new device you want to block.
Microsoft Exchange ActiveSync Protocol
If the devices are syncing using the Microsoft Exchange ActiveSync Protocol (not used by
the Verse iOS, Verse Android or HCL Traveler for Microsoft Outlook clients), you may
be able to restrict older devices by removing support for older protocol levels
leaving only the newer protocol levels which the older devices do not support. The
supported EAS protocol versions are controlled via the
NTS_AS_PROTOCOL_VERSIONS notes.ini. The server supports 2.5,
12.0, 12.1, 14.0, 14.1, 16.0, and 16.1.
NTS_AS_PROTOCOL_VERSIONS=2.5,12.0,12.1,14.0,14.1,16.0,16.1